MeDISAO is an information sharing and analysis organization
What is an ISAO?
Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing - encourages the development of Information Sharing Analysis Organizations (ISAOs), to serve as focal points for cybersecurity information sharing.
ISAO's are employed for the purpose of:
Gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems
Communicating or disclosing critical cyber and related information to help prevent, detect, mitigate, or recover from the effects of an interference, compromise, or incapacitation problem related to cyber systems
Voluntarily disseminating critical cyber and related information to its members; federal, state, and local governments; or any other entities that may be of assistance in carrying out the purposes specified above
Why should I join MedISAO?
MedISAO understands the regulatory, safety, and business needs of the medical device industry. Our analysis, best-practices and information sharing is targeted directly to small-to-medium sized medical device manufacturers and service providers. Our community is dedicated to sharing relevant information on best practices, new threats and vulnerabilities. Members of MedISAO get a head start in complying with cybersecurity guidances, real-time access to cybersecurity threats, tools and training from cybersecurity experts, and networking opportunities with other members. MedISAO member organizations can avoid costly reporting procedures (21 CFR 806) when cyber vulnerabilities are discovered in the field, as long as certain conditions are met.Member organizations can use MedISAO's Coordinated Vulnerability Disclosure process, which fulfills a key tenet of the FDA's Guidance on Postmarket Management of Cybersecurity in Medical Devices.
how much does it cost?
See our pricing page.
How does MedISAO protect confidential information?
Companies can avoid costly corrective action reporting requirements (21 CFR 806) by reporting vulnerabilities directly to MedISAO. However, this may cause concern that MedISAO does not adequately protect confidentional information of its members.
Any member that shares information with MedISAO will specify the level of visibility of that information using a "Traffic Light Protocol", based on the familiar concepts of green/yellow/red:
White: No limits on publication -- can be shared with general public or news organizations
Green: Can be shared with other ISAOs and their members
Amber: Can be shared with organizational members of MedISAO, only if they have signed a NDA
Red: Cannot be shared at all
All confidential information is submitted on our secure webform (using the same TLS encryption as bank websites) and is stored in encrypted storage on our servers.
Alternatively, members can submit information via email with PGP encryption. Click here for our PGP public key.
Payment information is securely stored offsite via Stripe.
What are MedISAO's documented policies?
How do I report a vulnerability in a device?
MedISAO runs a Coordinated Vulnerability Disclosure Program free for our members.
Report a vulnerability, and we will share it securely with the affected member organization.
What is expected of members?
There are no minimum participation requirements for members, but obviously we encourage all members, individual and organizational, to participate and contribute as much as possible.
Specifically, we encourage members to:
Submit any vulnerabilities to MedISAO through our Secure Vulnerability Disclosure form
Specify those vulnerabilities with as permissive level of visibility as possible, so the information can be useful to others
Take advantage of our Coordinated Vulnerability Disclosure Program, included free for all organizational members
Participate in the member discussion forums by asking questions and sharing their expertise
Read through our training materials and adopt best practices in their own organizations to make everyone safer
Who is MedISAO?
MedISAO does not publish a complete list of member organizations, but you can see a partial list of members on the home page.
MedISAO is organized by MedCrypt, Inc., a healthcare-first cybersecurity company.